CVE-2025-23200
LibreNMS Misc Section Stored Cross-site Scripting vulnerability
Description
# StoredXSS-LibreNMS-MiscSection

**Description:**

A stored XSS on the `state` parameter of `ajax_form.php` in LibreNMS version 24.10.1 ([https://github.com/librenms/librenms](https://github.com/librenms/librenms)) allows remote attackers to inject malicious scripts. When a user views or interacts with the page displaying the data, the malicious script executes immediately, leading to potential unauthorized actions or data exposure.

Request:

```http
POST /ajax_form.php HTTP/1.1
Host: <your_host>
X-Requested-With: XMLHttpRequest
X-CSRF-TOKEN: <your_XSRF_token>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: <your_cookie>

type=override-config&device_id=1&attrib=override_icmp_disable&state="><img%20src%20onerror="alert(1)">
```

The vulnerability is in the line:

```php
$attrib_val = get_dev_attrib($device, $name);
```

within the `dynamic_override_config` function. It arises because the value of `$attrib_val` is retrieved from untrusted data without any sanitization or encoding (at [Line 778](https://github.com/librenms/librenms/blob/master/includes/html/functions.inc.php#L778)). When `dynamic_override_config` is called, the unescaped `$attrib_val` is injected directly into the HTML (at [misc.inc.php](https://github.com/librenms/librenms/blob/master/includes/html/pages/device/edit/misc.inc.php)).

**Proof of Concept:**

1. Add a new device through the LibreNMS interface.
2. Edit the newly created device and select the Misc section.
3. In any of the following fields: "Override default ssh port", "Override default telnet port", "Override default http port" or "Unix agent port", enter the payload: `"><img src onerror="alert(document.cookie)">`.
4. Save the changes.
5. Observe that when the page loads, the XSS payload executes, triggering a popup that displays the current cookies.

**Impact:** Execution of Malicious Code
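The pattern described above, as an added example that is not LibreNMS code and not the project's patch: a stored value concatenated into an HTML attribute without encoding, next to a version that encodes at output time and a range check for port fields. The function names and the `<input>` markup are assumptions made for illustration; the sample value is the one from the request above.

```php
<?php
// Added illustration, not LibreNMS source. Function names and markup are hypothetical.

// Constructed sample: the value stored through the `state` parameter in the request above.
$stored = '"><img src onerror="alert(1)">';

// Vulnerable pattern: the stored value is concatenated into an attribute unescaped,
// so a double quote in the data closes the attribute and the rest becomes markup.
function render_override_unsafe(string $name, string $value): string
{
    return '<input type="text" id="' . $name . '" value="' . $value . '">';
}

// Hardened pattern: encode for the HTML attribute context at output time.
function render_override_safe(string $name, string $value): string
{
    $enc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" id="' . $enc($name) . '" value="' . $enc($value) . '">';
}

// Input-side check for port fields such as those named in the PoC:
// accept only an integer in 1..65535, otherwise return null.
function validate_port(string $raw): ?int
{
    $opts = ['options' => ['min_range' => 1, 'max_range' => 65535]];
    $port = filter_var($raw, FILTER_VALIDATE_INT, $opts);
    return $port === false ? null : $port;
}

// Parse the rendered markup with an HTML parser and count <img> elements.
// Any <img> here came from the data, not from the template.
function count_injected_img(string $html): int
{
    libxml_use_internal_errors(true); // tolerate the malformed markup
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    return $doc->getElementsByTagName('img')->length;
}

$unsafe = render_override_unsafe('override_icmp_disable', $stored);
$safe   = render_override_safe('override_icmp_disable', $stored);

echo "unsafe markup: $unsafe\n";
echo "safe markup:   $safe\n";
echo "img elements in unsafe output: " . count_injected_img($unsafe) . "\n";
echo "img elements in safe output:   " . count_injected_img($safe) . "\n";
echo "payload accepted as port: " . var_export(validate_port($stored), true) . "\n";
echo "'2222' accepted as port:   " . var_export(validate_port('2222'), true) . "\n";
```

Encoding at output is the control that addresses the stored value already in the database; the port check only rejects new bad input.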
How to fix CVE-2025-23200
To remediate CVE-2025-23200, upgrade the affected package to a fixed version below.
- Upgrade to 24.11.0 or later
Is CVE-2025-23200 being exploited?
Low — EPSS is 4.9%, meaning exploitation activity has not been observed at scale.